Mark Zuckerberg's former speechwriter Katherine Losse has reportedly warned
that Facebook employees had access to data including user passwords.

In an interview with the Guardian, Losse said that when she joined Facebook in 2005, customer support staff were each handed a “master password,” which allowed them to log in as any Facebook user and access all their messages and data.

She said that staff needed to have access to accounts in order to manage and repair user issues, claiming that it was common practice at the time for early-stage startups to give their staff access to customers’ personal information.

As many Facebook users use the same password for multiple accounts elsewhere on the internet, this raises significant security concerns.

However, Losse admitted that more secure forms of logging in to repair accounts have since been implemented, and Facebook has since confirmed that the social network now has “very, very strict processes” in place to control access to passwords and user information.

“Facebook is very highly regulated and places great importance on the integrity of the information people choose to add to it,” a source close to the company told the Telegraph.

Only two types of employees have access to user accounts – the user operations team, which works behind the scenes when issues are reported on Facebook, and the security team, which deals with bullying and harassment. However, this access is carefully controlled and logged on a daily basis.

A recent audit by the Irish Data Protection Commission found that Facebook has “an appropriate framework to ensure that all access to user data is on a need to know basis”.

Commenting on the news, Nick Pickles, director of privacy campaign group Big Brother Watch, said that this is another reminder that web users should constantly ask themselves who can access their communications.

“Whether it’s an administrator doing it themselves, or as we’ve seen with other services people resetting the administrator’s password and accessing it themselves, with any service like this there is always a risk of your privacy being compromised. The key difference with Facebook is that it is so much faster to identify the account of the person you’re trying to snoop on,” he said.

“Ultimately whether it’s health records or Facebook accounts, someone other than you is always going to need to have the ability to access your data, whether for security or service delivery reasons. The question people should be asking is just how much personal information you’re willing to be available in the first place.”

In 2009, a French hacker obtained access to a Twitter staff account, allowing him to view user accounts on the micro-blogging site. By resetting the employee's Yahoo password after guessing the "secret question", the hackers said he was able to find information about the staffer's Twitter login credentials.